@MarkWarneke
Last active July 23, 2020 13:42
To create a Clone Service Principal (see https://markwarneke.me/2020-04-02-Clone-AzureAd-Service-Principal/), you can run the following automation steps. Make sure the authenticated user executing the steps holds at least the Application Administrator Azure AD role, because the last step (admin consent) requires it to grant the permissions.
# Make sure we are connected using a user principal that has Azure AD Admin permissions.
az logout
az login
# Name of the Clone Service Principal
appName="CloneServicePrincipal"
# Retrieve the tenant id of the signed-in account
tenantId=$(az account show --query tenantId -o tsv)
# Create the Clone Service Principal (app registration first, then the service principal object)
appId=$(az ad app create --display-name "$appName" --query appId -o tsv)
sp=$(az ad sp create --id "$appId")
# Microsoft Graph API
API_Microsoft_Graph="00000003-0000-0000-c000-000000000000"
# Application.ReadWrite.OwnedBy
PERMISSION_MG_Application_ReadWrite_OwnedBy="18a4783c-866b-4cc7-a460-3d5e5662c884"
# Azure Active Directory Graph API
API_Windows_Azure_Active_Directory="00000002-0000-0000-c000-000000000000"
# Application.ReadWrite.OwnedBy
PERMISSION_AAD_Application_ReadWrite_OwnedBy="824c81eb-e3f8-4ee6-8f6d-de7f50d565b7"
# Request Microsoft Graph API Application.ReadWrite.OwnedBy Permissions (application permission, hence =Role)
az ad app permission add --id "$appId" --api "$API_Microsoft_Graph" --api-permissions "$PERMISSION_MG_Application_ReadWrite_OwnedBy=Role"
az ad app permission grant --id "$appId" --api "$API_Microsoft_Graph" --scope "$PERMISSION_MG_Application_ReadWrite_OwnedBy"
# Request Azure Active Directory Graph API Application.ReadWrite.OwnedBy Permissions
az ad app permission add --id "$appId" --api "$API_Windows_Azure_Active_Directory" --api-permissions "$PERMISSION_AAD_Application_ReadWrite_OwnedBy=Role"
az ad app permission grant --id "$appId" --api "$API_Windows_Azure_Active_Directory" --scope "$PERMISSION_AAD_Application_ReadWrite_OwnedBy"
# Grant Application & Delegated permissions through admin-consent (requires the Application Administrator role)
az ad app permission admin-consent --id "$appId"
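Because admin consent turns the requested app roles into live grants, it is worth verifying afterwards that the clone principal requests exactly the two Application.ReadWrite.OwnedBy roles and nothing broader. The following check is an added example and is not part of the gist; it assumes the JSON shape returned by `az ad app permission list --id <appId>` (a list of entries with `resourceAppId` and a `resourceAccess` array of `{id, type}` objects) and works on a constructed sample embedded inline, so it runs offline.

```python
"""Compare an app registration's requested permissions against an expected allow-list.

Added example, not part of the gist. Assumes the requiredResourceAccess shape
that `az ad app permission list --id <appId>` prints (resourceAppId +
resourceAccess[{id, type}]); feed it the real output with json.load in practice.
"""
import json

# Resource (API) app IDs and app-role IDs, taken from the gist above.
API_MICROSOFT_GRAPH = "00000003-0000-0000-c000-000000000000"
API_AAD_GRAPH = "00000002-0000-0000-c000-000000000000"
MG_APPLICATION_READWRITE_OWNEDBY = "18a4783c-866b-4cc7-a460-3d5e5662c884"
AAD_APPLICATION_READWRITE_OWNEDBY = "824c81eb-e3f8-4ee6-8f6d-de7f50d565b7"

# Exactly the (api, permission id, type) triples the clone principal should hold.
# "Role" marks an application permission, "Scope" a delegated one.
EXPECTED = {
    (API_MICROSOFT_GRAPH, MG_APPLICATION_READWRITE_OWNEDBY, "Role"),
    (API_AAD_GRAPH, AAD_APPLICATION_READWRITE_OWNEDBY, "Role"),
}


def requested_permissions(required_resource_access):
    """Flatten the requiredResourceAccess list into a set of (api, id, type) triples."""
    triples = set()
    for resource in required_resource_access:
        api = resource["resourceAppId"]
        for access in resource.get("resourceAccess", []):
            triples.add((api, access["id"], access["type"]))
    return triples


def check_permissions(required_resource_access, expected=EXPECTED):
    """Return (missing, unexpected): allow-listed entries that are absent, and
    requested entries that are not on the allow-list (permission drift)."""
    actual = requested_permissions(required_resource_access)
    return expected - actual, actual - expected


# Constructed sample: what the gist's steps should produce, plus one extra
# application permission on AAD Graph to show how drift is reported.
# The extra id is a placeholder, not a real app-role id.
EXTRA_ROLE_ID = "PLACEHOLDER-UNEXPECTED-APP-ROLE-ID"
SAMPLE_WITH_DRIFT = json.loads("""[
  {"resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [
     {"id": "18a4783c-866b-4cc7-a460-3d5e5662c884", "type": "Role"}
   ]},
  {"resourceAppId": "00000002-0000-0000-c000-000000000000",
   "resourceAccess": [
     {"id": "824c81eb-e3f8-4ee6-8f6d-de7f50d565b7", "type": "Role"},
     {"id": "PLACEHOLDER-UNEXPECTED-APP-ROLE-ID", "type": "Role"}
   ]}
]""")

# Constructed sample matching the gist exactly (no drift).
SAMPLE_CLEAN = [
    {"resourceAppId": API_MICROSOFT_GRAPH,
     "resourceAccess": [{"id": MG_APPLICATION_READWRITE_OWNEDBY, "type": "Role"}]},
    {"resourceAppId": API_AAD_GRAPH,
     "resourceAccess": [{"id": AAD_APPLICATION_READWRITE_OWNEDBY, "type": "Role"}]},
]


if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("drift", SAMPLE_WITH_DRIFT)):
        missing, unexpected = check_permissions(sample)
        status = "OK" if not missing and not unexpected else "MISMATCH"
        print(f"{name}: {status} missing={sorted(missing)} unexpected={sorted(unexpected)}")
```

In practice, pipe the CLI output into the checker (`az ad app permission list --id "$appId" -o json`, then `json.load`) and treat any non-empty `unexpected` set as a finding: an extra `Role` entry means the principal could be consented into more than the OwnedBy scope the clone pattern is designed to limit it to.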